[pfSense] Open VPN or IPSec for site to site VPNs
david at westcontrol.com
Fri Apr 20 15:04:09 EDT 2012
On 20/04/12 20:08, Jim Pingle wrote:
> On 4/20/2012 12:23 PM, Gavin Will wrote:
>> Traditionally I've used IPsec VPNs for site-to-site links; however, with replacing remote site routers with pfSense boxes, I thought about using OpenVPN instead.
>> Any pros/cons?
>> I quite like the ability to push a route easily with OpenVPN.
> Off the top of my head...
> Pros for OpenVPN:
> * Plays nicer with NAT and other intermediate filtering, since it only
> requires a single UDP or TCP port
> * Able to route traffic arbitrarily on a basic VPN setup
> * No issues with reconnecting/disconnecting
> * Easy to add secondary peers
> * Very easy to set up a remote access VPN with authentication
> * Shared key mode works well with OSPF for dynamic routing
> Cons for OpenVPN:
> * Little in the way of vendor compatibility, mainly only found on OSS
> * People have a tendency to fear the unknown so they don't try it, or
> dislike it because it's unfamiliar. Once they drink the kool-aid though,
> they rarely stop. :-)
> Pros for IPsec:
> * Long-lived standard
> * Many implementations on many devices, can usually build a tunnel to
> just about anything
> * Fairly easy to build a tunnel between two firewalls
> * Familiarity, many people use it because they have used it before.
> Cons for IPsec:
> * Long history of problems reconnecting/rebuilding tunnels
> * Rare if devices support multiple peers
> * Implementations between vendors can often have quirks
> * Requires both UDP and ESP for tunneled traffic
> * Remote access/mobile clients can have issues, but may work (see our
> ticket system for open issues)
> * Lots of problems traversing NAT or behind restrictive firewalls/networks
> * Routing arbitrary networks (not using Phase 2's in tunnel mode)
> requires IPsec in transport mode + GIF/GRE, which few vendors support.
I'd add another couple of pros for OpenVPN:
* It's easy to set up multiple independent OpenVPN VPNs on the same
server or client, running on different ports on the same IP address.
* If you don't mind installing a little extra software, it is easy to
use on lots of different clients.
* It's easy to set up an OpenVPN server in existing networks with
minimal changes - all you need is a port forward from the firewall
through to the OpenVPN server.
We have several independent OpenVPN setups on a server, with clients
able to connect with different accesses. And some of our users have
multiple client setups on their laptops for connecting to many different
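The two points raised in the thread that lend themselves to a concrete illustration are OpenVPN's ability to push a route to clients and the ease of running several independent instances on one host, each on its own port. The script below is an added example and is not code from the thread or from the pfSense project: it generates one stand-alone OpenVPN server configuration per instance and refuses to proceed if two instances would collide on a port, tun device or client pool. The instance names, ports, subnets, the `/etc/openvpn/keys/...` paths and the `user`/`group` names are constructed assumptions (the unprivileged group is `nobody` on FreeBSD/pfSense but `nogroup` on Debian-style systems); the directives themselves are standard OpenVPN 2.x server keywords.

```shell
#!/bin/sh
# Added example (not from the list thread): emit one stand-alone OpenVPN
# server config per instance, each on its own UDP port, tun device and
# client pool, pushing one LAN route to its clients. Every name, port,
# subnet and key path below is a constructed placeholder.
set -eu

# Constructed instance table: name port dev pool_net lan_to_push
INSTANCES='site-a 1194 tun0 10.8.0.0 192.168.10.0
site-b 1195 tun1 10.8.1.0 192.168.20.0'

# Print a server.conf for one instance on stdout. The directives are
# real OpenVPN 2.x server-side keywords; the key paths are assumptions.
gen_ovpn_server_conf() {
    name=$1 port=$2 dev=$3 pool=$4 lan=$5
    cat <<EOF
# OpenVPN server instance "$name" (generated example)
port $port
proto udp
dev $dev
topology subnet
server $pool 255.255.255.0
push "route $lan 255.255.255.0"
ca /etc/openvpn/keys/$name/ca.crt
cert /etc/openvpn/keys/$name/server.crt
key /etc/openvpn/keys/$name/server.key
dh /etc/openvpn/keys/$name/dh.pem
tls-auth /etc/openvpn/keys/$name/ta.key 0
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
status /var/log/openvpn-$name-status.log
verb 3
EOF
}

# Return 0 when column N of INSTANCES holds no duplicate values.
column_unique() {
    col=$1
    dups=$(printf '%s\n' "$INSTANCES" | awk -v c="$col" '{print $c}' | sort | uniq -d)
    [ -z "$dups" ]
}

# Instances are only independent if ports (col 2), tun devices (col 3)
# and client pools (col 4) are all distinct; return 0 if so, 1 otherwise.
instances_independent() {
    column_unique 2 && column_unique 3 && column_unique 4
}

# Write <outdir>/<name>.conf for every instance, aborting on a collision.
main() {
    instances_independent || { echo "instances collide on port/dev/pool" >&2; return 1; }
    outdir=${1:-./ovpn-example}
    mkdir -p "$outdir"
    printf '%s\n' "$INSTANCES" | while read -r name port dev pool lan; do
        gen_ovpn_server_conf "$name" "$port" "$dev" "$pool" "$lan" > "$outdir/$name.conf"
        echo "wrote $outdir/$name.conf (udp/$port on $dev)"
    done
}

# Run main only when explicitly requested, so the file can also be sourced.
if [ "${OVPN_EXAMPLE_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it with `OVPN_EXAMPLE_RUN=1 sh ovpn_instances.sh /tmp/ovpn` to get `site-a.conf` and `site-b.conf`; each is a complete server config that can be started with `openvpn --config <file>` once the key material exists. The uniqueness check is the part worth keeping: two OpenVPN processes sharing a port or a tun device will fail to start or silently fight over the interface, and a pool overlap breaks the routes each instance pushes.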